Skip to content

chore: bump lycheeverse/lychee-action from 2.5.0 to 2.9.0#3319

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/github_actions/lycheeverse/lychee-action-2.9.0
Open

chore: bump lycheeverse/lychee-action from 2.5.0 to 2.9.0#3319
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/github_actions/lycheeverse/lychee-action-2.9.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps lycheeverse/lychee-action from 2.5.0 to 2.9.0.

Release notes

Sourced from lycheeverse/lychee-action's releases.

v2.9.0

Summary

This release updates the default lychee version from v0.23.0 to v0.24.2.

The main reason for this release is compatibility with the new lychee 0.24.x release artifacts. Starting with lychee v0.24.0, the archive layout changed, and the lychee binary may now be packaged inside a subdirectory. lychee-action now detects that layout automatically, so users can upgrade without changing their workflows.

If you use:

uses: lycheeverse/lychee-action@v2

you will get the new version once the floating v2 tag has been updated. If you pin exact versions, update to:

uses: lycheeverse/lychee-action@v2.9.0

What’s new from lychee v0.24.x

Better diagnostics

lychee now reports line and column numbers for detected links. This makes broken link reports easier to act on, especially in larger documentation sites or generated reports.

Text fragment checking

lychee can now check URL text fragments, such as links containing #:~:text=.... This helps catch links that point to a valid page but no longer points to the intended highlighted text.

Sitemap support

lychee can now read sitemap.xml inputs. This is useful for checking published websites or generated documentation sites where the sitemap is the easiest source of URLs to validate.

JUnit output

lychee now supports JUnit output. This makes it easier to integrate link checking results with CI systems and test reporting tools that understand JUnit XML.

Redirect and remap visibility

lychee can now show redirects and remaps more clearly. This helps explain why a URL was checked as a different final URL and makes debugging link-checking behavior easier.

Multiple config files

lychee now supports multiple configuration files and expanded config handling. This is useful for repositories that split documentation, website, or package-specific link-checking settings.

Timeout handling

lychee can now accept timeouts explicitly. This gives users more control over how strict their link checks should be for flaky or slow endpoints.

Fixes and reliability improvements

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.5.0 to 2.9.0.
- [Release notes](https://github.com/lycheeverse/lychee-action/releases)
- [Commits](lycheeverse/lychee-action@v2.5.0...v2.9.0)

---
updated-dependencies:
- dependency-name: lycheeverse/lychee-action
  dependency-version: 2.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

@tangletools tangletools left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟢 Value Audit — sound

Verdict sound
Concerns 0 (none)
Heuristic 0.0s
Duplication 0.0s
Interrogation 21.2s (2 bridge agents)
Total 21.2s

💰 Value — sound

Routine single-line bump of the lychee link-checker GitHub Action from v2.5.0 to v2.9.0, consistent with the repo's established dependency-update pattern.

  • What it does: Updates the pinned version of lycheeverse/lychee-action in the links job of .github/workflows/check-lint.yml:81 from v2.5.0 to v2.9.0. This pulls in the underlying lychee v0.24.x engine (was v0.23.0), adding line/column diagnostics, text-fragment (#:~:text=) checking, sitemap.xml input support, and JUnit output.
  • Goals it achieves: Keep the docs link-checking CI step on a current, maintained version of its only tool. Prevents drift/staleness and gains more precise broken-link reports (line/col numbers) for the markdown/html/rst files the job scans.
  • Assessment: Good change. It's a one-line version bump of a third-party action used in exactly one place, matching the repo's documented history of regular lychee bumps (2.3.0→2.4.0 in #2943, 2.4.0→2.5.0 in #3049, visible in apps/tangle-dapp/CHANGELOG.md:17 and libs/ui-components/CHANGELOG.md:70). The pin-to-exact-tag style (rather than floating @v2) is the more reproducible choice and is already in use here
  • Better / existing approach: none — this is the right approach. Searched the repo (grep lychee) and confirmed the action is referenced in exactly one workflow file with no alternate link-checker present, so there is nothing to deduplicate or extend.
  • Model: opencode/zai-coding-plan/glm-5.2
  • Bridge attempts: 2
  • Bridge warning: opencode/kimi-for-coding/k2p7: bridge stream ended without value-audit content

🎯 Usefulness — sound

Routine, recurring bump of the only link-checker action in the repo; immediately reachable on every PR and wired identically to prior accepted bumps.

  • Integration: The bumped action at .github/workflows/check-lint.yml:81 is invoked by the links job (check-lint.yml:69-87), which triggers on all pull_request events to develop/master/feature/** (check-lint.yml:4-5) plus workflow_dispatch. It is the single consumer of this action in the repo (grep found one workflow reference). Immediately exercised on the next PR.
  • Fit with existing patterns: This is an established maintenance pattern: CHANGELOG.md entries in apps/tangle-dapp and libs/ui-components record prior accepted bumps (2.3→2.4 via #2943, 2.4→2.5 via #3049). No competing link-checking capability exists in the repo. The args/exclude-path/fail/env inputs are unchanged and remain valid for v2.9.0.
  • Real-world viability: The action runs in a fresh CI runner per PR with no concurrency or state concerns. The v2.9.0 release specifically adds automatic handling of lychee v0.24.x's new subdirectory archive layout, which is the realistic failure mode it needed to cover; fail: true and GITHUB_TOKEN wiring are unchanged. Happy path and the known packaging edge case are both handled upstream.
  • Model: opencode/zai-coding-plan/glm-5.2
  • Bridge attempts: 1

No concerns — sound change, no better or existing approach found. ✅


What this audit checks

It judges the change on its merits — not whether it was tasked out in an issue. Unticketed, fast-moving work is fine; the question is whether the change is good and whether a better or existing approach should be used instead.

Pass What it asks
Heuristic Vague title? Whitespace-only or cruft-bearing diff? (content signals only)
Duplication Do added function/class names already exist elsewhere in the repo?
Value Audit What does it do? What goal does it achieve? Is it good? Better architecture or already-exists?
Usefulness Audit Does it integrate and fit? Will it hold up in real use and actually get used?

Findings are concerns, not blocks — the human reviewer decides what to do with them.

value-audit · 20260713T193602Z

@tangletools

Copy link
Copy Markdown
Contributor

✅ No Blockers — 2983ad28

Review health 100/100 · Reviewer score 92/100 · Confidence 65/100 · 1 finding (1 low)

glm: Correctness 92 · Security 92 · Testing 92 · Architecture 92

Reviewer score is advisory once the run is complete and the verdict has no blockers.

Full multi-shot audit completed 1/1 planned shots over 1 changed files. Global verifier still owns final merge decision.

🟡 LOW Action pinned by mutable tag instead of commit SHA — .github/workflows/check-lint.yml

lycheeverse/lychee-action@v2.9.0 is tag-pinned, so a compromise or force-push of the v2.9.0 git ref would silently change the code running in CI. Best practice is SHA-pinning (e.g. @e7477775783ea5526144ba13e8db5eec57747ce8). This is a pre-existing pattern across the whole file (checkout@v4, setup-node@v6.4.0, cancel-workflow-action@0.13.1) and not introduced by this PR, so not blocking. Note: v2.9.0 release was signed with a verified GPG signature, which partially mitigates tampering risk at release time.


tangletools · 2026-07-13T19:36:10Z · trace

@tangletools tangletools left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Approved — 1 non-blocking finding — 2983ad28

Full multi-shot audit completed 1/1 planned shots over 1 changed files. Global verifier still owns final merge decision.

Full immutable report for this review: trace

Summary comment for this run: full summary


tangletools · 2026-07-13T19:36:10Z · immutable trace

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant